diff --git a/.github/workflows/nodejs-org.yml b/.github/workflows/nodejs-org.yml
index 1da0130d..0d3c428e 100644
--- a/.github/workflows/nodejs-org.yml
+++ b/.github/workflows/nodejs-org.yml
@@ -18,7 +18,7 @@ jobs:
 update-nodejs-org:
 if: github.repository == 'nvm-sh/nvm' && github.actor == 'ljharb'
 permissions:
- contents: none
+ contents: read # for the "Extract and validate version" step's `gh api .../tags` call via the default github.token
 name: 'Create PR to nodejs/nodejs.org'
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 8ecb3b09..1c4b85b7 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -2,16 +2,12 @@ name: Automatic Rebase
 on: [pull_request_target]
-permissions: read-all
+permissions:
+ contents: write # for ljharb/rebase to push code to rebase
+ pull-requests: read # for ljharb/rebase to get info about PR
 jobs:
 _:
- name: "Automatic Rebase"
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v6
- - uses: ljharb/rebase@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ uses: ljharb/actions/.github/workflows/rebase.yml@main
+ secrets:
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
index 9428b1df..a685b8ac 100644
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@@ -2,10 +2,14 @@ name: Require “Allow Edits”
 on: [pull_request_target]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 _:
+ permissions:
+ pull-requests: read # for ljharb/require-allow-edits to check 'allow edits' on PR
+
 name: "Require “Allow Edits”"
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3be3016e..3facf241 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
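Review bot: In `.github/workflows/rebase.yml`, the new `uses: ljharb/actions/.github/workflows/rebase.yml@main` line references the reusable workflow by a mutable branch, while the workflow runs on `pull_request_target` with `contents: write` and passes the token through `secrets:`. Whatever `main` points to at run time executes with push access to this repository, so a change in that external repository takes effect here without review. Pinning to a full commit SHA, `uses: ljharb/actions/.github/workflows/rebase.yml@<full-commit-sha> # main`, keeps the called code fixed until someone bumps it deliberately. The write grant could also move from the workflow level onto the `_` job, so that any job added later does not inherit it.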
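Review bot: In `.github/workflows/require-allow-edits.yml`, the job-level `permissions:` block added under `_` replaces the workflow-level block rather than merging with it, so this job gets `pull-requests: read` and every other scope set to none; the new top-level `contents: read` does not reach it. If a step in the job needs repository contents, add `contents: read` inside the job block. If none does, the top-level grant only affects jobs outside this hunk and could be written as `permissions: {}` to make the default-deny explicit. The job's steps are outside the hunk, so which case applies needs checking against the full file.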
@@ -8,7 +8,7 @@ permissions:
 jobs:
 tests:
 permissions:
- contents: write
+ contents: read # for actions/checkout@v6
 name: "tests"
 runs-on: ubuntu-latest
diff --git a/.github/workflows/windows-npm.yml b/.github/workflows/windows-npm.yml
index 8c005723..90dd6e11 100644
--- a/.github/workflows/windows-npm.yml
+++ b/.github/workflows/windows-npm.yml
@@ -94,6 +94,8 @@ jobs:
 bash.exe "%USERPROFILE%\setup.sh"
 wsl_matrix:
+ permissions:
+ contents: none
 continue-on-error: true
 name: 'WSL nvm install'
 defaults:
@@ -187,6 +189,8 @@ jobs:
 node -v
 wsl_matrix_unofficial:
+ permissions:
+ contents: none
 continue-on-error: true
 name: 'WSL nvm install'
 defaults:
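Review bot: The `permissions:` blocks added to `wsl_matrix` and `wsl_matrix_unofficial` in `.github/workflows/windows-npm.yml` (both hunks) carry no reason comment, unlike the other permission lines this commit adds, which each say what the scope is for. A trailing comment along the lines of `contents: none # no step in this job uses github.token` would record why the token is stripped, so a later edit that adds a checkout or `gh` call knows to revisit the block. Both job bodies continue outside the hunks, so confirm that no existing step relies on the token before settling on that wording.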